Dropbox and BoxCryptor: The Dangers of Encrypting Your Digital Life

In my never ending quest to get organized, I’ve been forced to explore the world of encryption. I set up Dropbox to use as my primary drive for all my digital document filing. Because my Dropbox files are replicated to all my machines at home and work this has caused a security problem at work. We’re not allowed to store sensitive data on our local drives, and my own files will set off their security scanner. So I’m being forced to encrypt my own documents. Normally Dropbox encrypts your files for transfer over the net and at their storage site, and I’ve considered that good enough security. However, I started thinking what would happen if someone came into my office when I just had stepped out. Before Windows times out and locks my machine, people could see my home files in Dropbox, so I felt it was the time to study encryption programs.

We’re being forced to use TrueCrypt and BitLocker at work, so I was having to learn about this topic anyway. It’s a scary subject because if you’re not careful you’ll lock all your critical files into an encrypted volume and you won’t be able to open it again.

At first I thought I just set up a TrueCrypt volume inside of Dropbox, but I read there were some issues with that. Dropbox sees TrueCrypt as a single file, so if you have a gigabyte of data locked down, that’s a lot for Dropbox to handle over the internet. Doing some Google research I discovered BoxCryptor. BoxCryptor encrypts file by file, so the overhead for Dropbox is much lighter.

BoxCryptor is free for personal use as long as you only create one virtual drive. BoxCryptor creates virtual drives. Save something to its drives and it’s automatically encrypted. It works with Dropbox, SkyDrive and other cloud drive services, as well as regular drives. After you install BoxCryptor you mount the drive and use this access point to see the files unencrypted. If you don’t mount the drive and browse to the BoxCryptor folder within Dropbox you’ll see your files, but they won’t open. And evidently, with the free version, you’ll see the filenames unencrypted, they just won’t open. It appears if you buy the full version ($44.99), it will encrypt the filenames too, if you want.

Encrypting your files can be dangerous. If you forget your password, kiss those precious documents goodbye. Unless you’re a master NSA hacker, you’ll have no chance of ever opening them again. Also, there’s a file listing in your BoxCryptor folder called .encfs6.xml. Delete it and access to your files are long gone too. Wow-wee – just thinking about all this makes me nervous.

Using encryption is not for the unfocused mind or scatterbrain user.

Here’s the thing. We’re moving into an age where all our personal information is digital. It’s our responsibility to back up our digital life. Dropbox is a good way to do that, but Dropbox stores your files in the Cloud. If you’re paranoid about who can see your files you’ll need to think about encryption.

Encryption takes extra work, extra precautions and can be a very risky endeavor if you’re careless.

Some people encrypt files because they worry that Cloud storage sites might peek at the good bits in their private files. Other people encrypt their documents because they’re afraid their computers will be stolen and bad guys will steal their identity. Still other people encrypt files because they don’t want people at home or at the office to mess with their stuff. Criminals encrypt files because they don’t want the police or FBI use them as evidence. There are many reasons to encrypt files. You have to decide if its worth the effort.

When you encrypted a folder with BoxCryptor or TrueCrypt you’ll have to create a strong password that you must not forget, and you’ll be required to save a configuration key file that you should backup carefully. If something happens to your machine and you want to recover your files from a backup to a new machine, you’ll need that configuration key file.

If you encrypt your life its very important how you handle the password and configuration key. If your documents are very important you might want to put your passwords and keys into your will. If a husband encrypts all his financial records and then dies, his wife won’t be able to see them. If you’re an author and you last manuscript is encrypted, it won’t get published unless you’ve made provisions for your heirs to unlock it.

And it’s important how you configure BoxCryptor. If you want to just hide your files from Dropbox, just use the defaults. If you want to hide files from people that can access to your computers (either at home, work or at the thieves hideout), then don’t configure the mount drive to automatically remember the passwords.

Good article on BoxCryptor. One tip to avoid the pitfall of loosing access to all your file: Backup! No excuses for forgetting your password, but if that XML files damaged or deleted you need a backup of your files somewhere safe (outside of BoxCryptor) in the same way you’d need a backup in the event of a drive failure.

I use Dropbox to safely sync files between home, work and mobile devices. I use BoxCryptor in case any of those mobile devices are lost or stolen. As I consider my home to be safe and secure I simply backup Dropbox to an external drive weekly. That includes my BoxCryptor files in encrypted form and the XML file. So, I believe, if I ever lose the XML file I should be able to recover it from backup.

The XML file is a key, not a file list, so you only need to back it up when you first set up a BoxCryptor drive. So, even if you don’t do a local backup of all your files, at least put a copy of this key on a CDR or a second drive on your main PC if you have one, for safe keeping.

As a “not-ever-going-to-fully-recover-but-did-make-it-out-alive-though-altered-emotionally-for-life” survivor of my encrypting disaster, I can only offer this bit of advice to those about to protect their stuff: make certain your health and life insurance policies are as encompassing as possible. When I lost ALL of my passwords, and EVERYTHING else of importance in my life to an app on my iPod Touch, I wanted to simultaneously shoot myself, slit my throat, and jump of a bridge. The only thing that saved me was it took hours to find the gun, was out of ammunition, the knives were all dull, and I never did find a bridge within a hundred miles of here high enough to jump off. The app was state of the art, as was the encryption methodology, and my password so “super-duper” as to have qualified as a masterpiece. What wasn’t known to me was that if you entered the password three times in a row, and those entries were wrong, the app would devour everything, with no possible way to retrieve the data. Save yourselves people! Oh, and best of luck.

That’s the kind of encryption story that makes me think I’d be better off risking hackers finding my personal stuff. So far I haven’t trusted everything to BoxCryptor. I kept a copy of my stuff on my main computer that’s not encrypted.

To store ALL of your passwords on your device was a huge classic error. NO BUENO my friend. A password you can not remember is of no value. And to have multiple of those is a sure plan for a suicide mission. LOL

Personal encryption pose these problems. Of-course losing even one employee password will be a total disaster in a business. Another problem is that you need to give the password away for Dropbox sharing of encrypted files which is probably the most important place to apply encryption.

Take a look at Sookasa – http://www.sookasa.com. We address enterprise level Dropbox encryption and compliance (mainly for legal and healthcare) we will offer a free version too.

An independent review made for New York State Administrative Law Judges Association by judge Eric Zaidins:

Thanks for the writeup, James! It’s helpful to weigh the pros and cons of encrypting our digital lives. We can too tightly guard our data and possibly lose access to it if we’re careless. Or we could possibly open ourselves up to identity theft, etc., if our laptop is stolen and our sensitive information is easily accessible. It’s definitely a balance!

Within the latest version of Boxcryptor your username, KEYS AND PASSWORD are stored on the server of Boxcryptor. For when you login through the Web, Boxcryptor asks for your PASSWORD in order to identify you. ( https://www.boxcryptor.com/app/ ) Thus IMHO Boxcryptor is inherent UNSAVE (since the people of Boxcryptor know your keys AND password AND can decrypt your files in Dropbox or any other cloudstorage you happen to use. Or am i mistaken somehowe? What is your response to this?

This is an interesting situation. I’m still very afraid of trusting Boxcryptor completely because if I loose my password, or it fails to work, I’ve lost access to some very important files. Right now my solution is to have an un-encrypted backup, but that’s a pain to keep two file systems in sync.

Depending on how Boxcryptor holds your keys and passwords that might offer a kind of safety net. What I worry about is other people seeing my financial records, like a burglar stealing my computer or iPad. If I felt safe assuming that people at Boxcryptor didn’t look at my files, and we often trust institutions with our data not to misuse it, then it might be safer to have a credible agency protecting a copy of our passwords and keys.

This is why I’ve always wanted the creation of a Federally monitored Data Bank – like we have for money banks.

I thought I would try to clarify something about passwords. The Boxcryptor application on your computer asks for your password, but the password is never transferred to the servers or anywhere. Here is the quote from the Boxcryptor website:

“Boxcryptor is a zero-knowledge service provider because any private and sensitive information that we receive from the users will always be in the encrypted form protected by the user’s password – which is never transferred to us or anyone.”

The people at Boxcryptor cannot decrypt or access your files. That is what makes it zero knowledge.

Nice article, but there is one correcton that ought to be made.
to wit: Truecrypt updates block by block in DropBox. Therefore, if you change one file, only the blocks containing that file (actually just the blocks containing your changes!) will be updated by DropBox. The process can been faster than BoxCryptor. Go ahead a try it.
Thanks for the warning about encfs6.xml. I agree: wowwee! All that work and to rely on the integrity of a single HTML file…

When I think about encryption, my main concern is identity theft. There are a lot of files on my computer that are not at all sensitive. There is no real point in encrypting them. However, I do have files that could do a lot of damage to me and others in the hands of an identity thief, ranging from financial records to tax files.

I use Dropbox, Google Drive and Skydrive to back up documents. In addition, I back up files to a local drive. Even though files are encrypted on these services, the opportunity exists for an employee of one of these companies to steal this data. That is one point to consider when thinking about encryption. The other main concern is the theft of your computer, especially if it’s a laptop. If you have sensitive files stored on it without encryption, you are seriously at risk.

My recommendation is to do both local backups in a raw form as well as cloud backups. Both the cloud backups and data on a local hard drive should be encrypted. That local raw backup should be properly stored-in a safe if possible, or in a place that a thief wouldn’t really look. There will be places, even in a small apartment, that a thief will not bother with. They want to get in and out fast.

Lastly, make sure that spouse or family member has the encryption key and/or knows where that backup drive is.

One other thing to consider. Think about the viability of these services as companies. It makes little sense to back up a lot of data to a company that might not exist tomorrow.

I find it a bit frustrating that Truecrypt is not yet ready for Windows 8. It was launched nearly a year ago. I know this is open source software so development takes some time, but it does raise concerns that I might not be able to access my encrypted files if I get a new computer. Shame on MS for not making Bitlocker available on all Windows 8 systems.

This is a really good article.
I was going to encrypt all my photos on skydrive howevernow I’m thinking of leaving them unencrypted.
If anyone hacks the photos, not the end of the word.
Most importantly they will be there for my children to keep rather then losing them to encryption.

Hey. Tx for this great article. Right now I’m putting a lot of (private) stuff on dropbox. And I’m not comfortable with this.I will encrypt some of it soon, no doubt. Here is my share of ideas for those who care 😉

I use keepass and very complex passwords for all my needs. Keepass uses an encrypted database. Therefore I don’t really need to encrypt it.

All the other critical data will be encrypted. I can’t lose my key as is will be in keepass. Keepass also allow to save files. So the XML will be there too.

Additionally, I will plan a backup of uncrypted data from my home computer to an encrypted tar file which will be uploaded to a remote server or any cloud backup storage, In case of corruption, I will be able to restore from that encrypted file. I will also keep it’s key into the keepass database.

The weak point here for sure is my memory, and most of all my keepass database 🙂 The next thought to have is how to ensure I will always be able to access my keepass data again if I lose the key to it: ) But hey… Then, there is always a weak point in life. How weak depends on the time and money you want to spend to make it better, doesn’t it ?

A way of limiting the risks is to send regularly a copy of the DB to a family member for example, and keeping the password in a safe in a bank somewhere. Or, a copy of the DB to a close friend or family member, and the password to an other one. Preferably people who don’t know each other or hate each other 🙂 So they won’t plot against you 🙂

All this sounds a bit heavy, but it’s quite easy to put in place, and possible for anyone, or almost.

Last point, you should think of put some of the information about that into your testament ! Your life is digital. So will be the heritage of your heirs

I’m still trying to figure out how to perfectly store my digital life in Dropbox. I’d like a single solution to storage, backup and security. I don’t know if Dropbox is that or not. Yesterday a friend corrupted a major file she worked with that was saved on Dropbox. She did it at work, but then brought her laptop over to my house. Before we realized it, Dropbox had connected to my wireless and overwrote the file on her laptop’s Dropbox folder. She had no other copies of the file.

I told her if she paid for Dropbox and bought the unlimited undelete that would have at least gotten her an earlier version of the file. Since I also use the free version I’m not worried.

Coming up with a secure system for both protecting files and hiding them is hard.

just an FYI … you can select what folder you sync up at your work PC … you dont need to syn up all from Dropbox. Two – dropbox does have the ability to do a hash at a block level so even if you change 1 file on your trucrypt 1GB file it will take second to sycn it up … it wotn take hours. Googl Drive does not do de-duplication so yes in that case it will take hours.

I experienced the following:
I moved a lot of files to BoxCryptor – and due to some “read errors” it took a lot of time. Finally I thought that everything was there, so deleted my unencrypted copies.
Now I’m trying to use some of the files and I find that many of them are only ZERO bytes large.
So I lost a LOT of my data…

Have you contacted BoxCryptor? I hope you have a backup. I was too afraid of BoxCryptor to trust it with my only copy of files. In fact, I recently gave up on encrypted files because it was too much trouble to make sure I had a backup of everything I was encrypting.

You wrote, you MOVED your files to BoxCryptor and then deleted the unencrypted copies. Maybe i misunderstand you, but It sounds like you deleted the files in the virtual (BoxCryptor-)drive, which would mean that Boxcryptor will naturally delete the encryted ones, because the (virtual) cleartext files and the encryted ones are physically the same!

I used Boxcryptor to keep an encrypted volume on Dropbox which was accessible from my iPhone, iPad and Macbook, I used the latter to update files and read them on the idevices. Super. Then I updated my Macbook to Mavericks and Boxcryptor refused to open the encrypted volume. A Google search with threads going back 6 years suggested the problem was with ports and there were some terminal commands to run to fix it.

This is the 21st century, not every home user is computer savvy (I am but I left the Windows world to get away from all this), so I deleted the encrypted volume and uninstalled Boxcryptor from all devices. Lucky I used the encrypted volume as a backup and not to keep original files. Just goes to show that Cloud technologies are not stable enough to use for critical and confidential files storage.

Seta, this is why I was trying to warn people that using encryption can be dangerous. Ultimately you want your encrypted volume to be your primary volume that you can completely trust, but because of problems, you have to make it a backup volume. This causes problems with keep files update-to-date and in sync. Thus it becomes iffy about keeping encrypted files in the cloud. There are cloud services that offer better encryption than Dropbox, but they aren’t as convenient.

I am working in a company that provides encryption and security to Dropbox so this thread is very interesting for me.

The main question is why you feel you need to encrypt your data in the cloud in order to hide it from say Dropbox, but you seems to trust your bank which has IT, temporary employees and is audited by many external bodies. Many also trust their email provider with sensitive data.

We believe that there are 3 risks in maintaining your data in the cloud. Btw, these risk are true for both file sharing and email:

1. The device sync problem. You data sync on many devices which are not encrypted or even password protected. Most HIPAA breaches were because of losing a device (laptop, phone, flash drive).
2. You and your sharees are making mistakes. File sharing is not only about sharing between you devices but also about sharing across professional and personal circles. If you share a lot your files are distributed also to your partners devices.
3. The cloud provider can access your files or somebody can break to your account. Frankly, this is probably the least of the problems. You can also easily mitigate this risk by using super power password or two factor authentication. Guess what, most users do not.

For a while, I used BoxCryptor to encrypt some files because I had
Dropbox on three work computers (PC, Mac, Linux) and work was running checks to see if we were exposing private data. Since I retired, that’s no longer a problem. All my computers are at home, and I’m not worried about Dropbox people sneaking a peak at my files.

That’s why you don’t let Windows “time out” as you walk away. There are keyboard shortcuts that either exist or you can easily set up to lock your computer in a single, quick keyboard stroke.

Heck, when I catch people at work that leave their computer open, I hop on and send an embarrassing mass email from their account to teach them a free security lesson (I should be charging them for it).

The managers and bosses never get mad at me because when the person gets mad at the “masked, good-looking vigilante”, I’ll defend “him” and say – “He’s making sure you are in the habit of protecting company assets. Security is a process, not a product.”

First of all, you need to proofread your posts and comments. You write “peak” when you mean “peek” and “loose” when you mean “lose”.
Second, you said “The plus about hooking Dropbox to a computer out of the house is it gives you an off-site backup.” Dropbox already HAS an off site backup. A copy of your data is on Dropbox’s servers.
Third, if you use a password manager like LastPass or OnePass then at least you only have to remember one password and you can use really long, secure, and different passwords for each and every one of your sites because lastpass remembers them all for you.
Fourth, if you are concerned about securit you should be using two-factor authentication, such as an app on your phone that generates a code that you must use when you try to log in.

Thanks. I’ll fix the grammar errors. I’ve been thinking about using a password manager but I don’t quite trust them yet, and I’ve been switching to two-factor authentication. I wrote this a long time ago.